There is a little more fuel for the SAQ A vs SAQ A-EP fire, so I updated the list of supporting information in the “SAQ A vs A-EP – lots of links” post. SAQ A is good for iFrames and redirects; SAQ A-EP adds the controls for the web server.

It looks like there might be a small mistake in the SAQ A-EP eligibility criteria. Although the Council removed this from the table in the “Understanding the SAQs for PCI DSS v3” document, it was not removed from the criteria for SAQ A-EP v3.1:
“Your e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor;”

When consumers are redirected, it appears to be clearly a SAQ A case, so this criterion might be reworded. I can see more evolution coming here in the future, and light at the end of the tunnel.